CVE-2024-4841
Published: 23 June 2024
Summary
CVE-2024-4841 is a low-severity Path Traversal: '\..\filename' (CWE-29) vulnerability in Lollms Lollms-Webui. Its CVSS base score is 3.3 (Low).
Operationally, exploitation aligns with the MITRE ATT&CK technique File and Directory Discovery (T1083); ranked in the top 7.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
This vulnerability is AI-related — categorised as Other Platforms; in the Privacy and Disclosure risk domain; MITRE ATLAS techniques in scope: RAG Poisoning (AML.T0070), False RAG Entry Injection (AML.T0071), Reverse Shell (AML.T0072).
Deeper analysis
A Path Traversal vulnerability tracked as CVE-2024-4841 affects the parisneo/lollms-webui application in versions v9.6 through the latest release. The flaw resides in the add_reference_to_local_mode function, which fails to sanitize the path parameter supplied in HTTP requests to the /add_reference_to_local_model endpoint, allowing directory traversal under CWE-29. The issue received a CVSS 3.1 score of 3.3 reflecting local attack vector, low complexity, and limited confidentiality impact.
An authenticated local user can exploit the weakness by submitting crafted path values to enumerate folders, subfolders, and files present on the host system. No user interaction is required, and the attack remains confined to information disclosure without direct modification or denial-of-service effects.
The associated EPSS score has stayed low, reaching a peak of 0.0934 and currently sitting at 0.0846. Public details are available in the referenced huntr.com bounty reports.
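The weakness described above is a 'path' parameter that is joined onto a local directory without being confined to it. The following is an added example, not code from lollms-webui or its maintainers; it shows why a substring blacklist for '../' is the CWE-29 mistake (a backslash-separated '\..\' sequence slips through) and how a containment check on the resolved path handles both separator styles as well as absolute paths. The base directory, the function names and the sample request values are assumptions constructed for this illustration.

```python
"""Confining a user-supplied 'path' parameter to a base directory.

Added example (not lollms-webui's own code). MODELS_DIR, the function
names and the sample request values below are assumptions for illustration.
"""
from pathlib import Path
from typing import Optional

# Constructed: the directory a hypothetical '/add_reference_to_local_model'
# handler is supposed to keep file references inside.
MODELS_DIR = "/srv/lollms/models"


def naive_reject(user_path: str) -> bool:
    """The substring blacklist CWE-29 is about: it only recognises the
    forward-slash spelling of '..' and lets a '\\..\\' sequence through."""
    return "../" in user_path


def resolve_under_base(base_dir: str, user_path: str) -> Optional[Path]:
    """Return the absolute target for user_path confined to base_dir, or
    None when the request would escape it: '../' traversal, the
    backslash-separated '\\..\\' variant, or an absolute path."""
    # Treat backslashes as separators before joining, so '..\\..\\x' is
    # collapsed as a traversal sequence on POSIX hosts as well.
    normalized = user_path.replace("\\", "/")
    base = Path(base_dir).resolve()
    # resolve() collapses '..' components (and symlinks), so the containment
    # check is made on the real target rather than on the request text.
    # Joining an absolute user path discards base, which relative_to() catches.
    candidate = (base / normalized).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        return None  # resolved outside the base directory
    return candidate


def check_request(user_path: str) -> dict:
    """What a handler could log for one 'path' value: whether the naive
    blacklist would have allowed it, and whether the containment check does."""
    resolved = resolve_under_base(MODELS_DIR, user_path)
    return {
        "path": user_path,
        "naive_filter_allows": not naive_reject(user_path),
        "allowed": resolved is not None,
        "resolved": str(resolved) if resolved is not None else None,
    }


if __name__ == "__main__":
    # Constructed sample values for a 'path' parameter.
    for sample in [
        "llama/model.bin",            # legitimate reference inside MODELS_DIR
        "../../etc/passwd",           # forward-slash traversal
        "..\\..\\Windows\\win.ini",   # CWE-29 backslash traversal
        "/etc/shadow",                # absolute path
    ]:
        print(check_request(sample))
```

The check_request dictionary is the shape of record worth logging from such an endpoint: a request where naive_filter_allows is True but allowed is False is exactly the '\..\' case that a substring filter would have missed.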
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-44422
Vulnerability details
A Path Traversal vulnerability exists in the parisneo/lollms-webui, specifically within the 'add_reference_to_local_mode' function due to the lack of input sanitization. This vulnerability affects versions v9.6 to the latest. By exploiting this vulnerability, an attacker can predict the folders, subfolders, and files present on the victim's computer. The vulnerability is present in the way the application handles the 'path' parameter in HTTP requests to the '/add_reference_to_local_model' endpoint.
- CWE(s): CWE-29 (Path Traversal: '\..\filename')
AI Security Analysis
- AI Category: Other Platforms
- Risk Domain: Privacy and Disclosure
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: parisneo/lollms-webui is an open-source WebUI platform for running and managing Large Language Models (LLMs) locally, fitting 'Other Platforms' as it provides a user interface and endpoints for AI model handling, confirmed AI-related via AI/ML bug bounty context.
Related Threats
MITRE ATT&CK Enterprise Techniques
- File and Directory Discovery (T1083)
Why these techniques?
Path Traversal vulnerability in the 'path' parameter allows unauthorized enumeration of folders, subfolders, and files on the victim's local file system.
MITRE ATLAS Techniques
- RAG Poisoning (AML.T0070)
- False RAG Entry Injection (AML.T0071)
- Reverse Shell (AML.T0072)
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.